Guccifer 2.0: Game Over - Six Months In

By Adam Carter --- August 4th, 2017

Introduction

Update (June 3rd, 2018)

This article states that a computer with a copy of Microsoft Word registered in Warren Flood's name was likely used by Guccifer 2.0. Since this article was published it has been discovered that Flood's name actually came from a document attached to one of John Podesta's emails.

For those who are unaware of the research I've carried out and reported on over the last six months, please check this site's homepage out before proceeding (FAQs at the bottom and the information available in the additional articles are all worth considering too).

Likewise, if you haven't heard of the Forensicator and his analysis, please check out Disobedient Media's article on his work and the Forensicator's blog (it's worth reading the comments there as well, as he directly answers a lot of questions from those challenging his conclusions).

Only leaked documents that were of minimal impact. Most were old/outdated and never harmed DNC leaders or impacted negatively on Hillary Clinton's campaign; the main people harmed were those whose personal details were leaked (approx. 50,000 Democratic party donors).

Deliberately placed "Russian fingerprints" in a sequential manner in two sweeps on multiple files that he released on June 15th 2016 (starting off with a pre-tainted template using a Russian language stylesheet and then writing Russian language metadata when opening and copying in content from original documents in separate sessions, apparently only ~30 minutes after the files were created). The date/author/etc. metadata could also be stripped out completely and we would still have indicators showing how the files were constructed from a pre-tainted template using just RSID data alone. There is absolutely no way the files could have ended up like this through accidental mishandling of original documents.

Created the initial pre-tainted template documents using a copy of MS-Word apparently registered to Warren Flood under the GSA license (suggesting it was installed when he worked at a Federal facility - and the only record of such circumstances existing seems to be from when he was working in Vice-President Joe Biden's office during 2010-2011). This could suggest several things:

Flood's involvement. (But he wasn't working directly for the DNC after 2011.)

Released files that were not consistent with the content or format of the data released by WikiLeaks and never exposed any revelations he should have known about (if he was really the source) ahead of WikiLeaks publishing anything, which suggests he was not the source for what WikiLeaks published.

Used inconsistent and low-effort attempts to mask this and try to appear, stylistically, like a Russian (using a Russian smiley in 2-3 instances, the first being on the day he appeared) and referring to hacks as 'deals' in one isolated interview, along with mangling sentences in a way that does not suggest he was Russian. (The only language expert willing to be cited without being anonymous was professor M.J. Connolly from Boston College and he stated that Guccifer 2.0 lacked any traits he would expect to see from a Russian communicating in English!)

Actually did more to generate negative headlines about leaks and leaking than anything else and was already generating multiple negative headlines about WikiLeaks even before its DNC Leaks were released. - Examples before Wikileaks had even published, included:

Overall, it seems fair to suggest that this looks a lot like it was initially an operation intended to undermine WikiLeaks and pre-emptively taint its reputation (and the reputation of the upcoming leaks Assange first raised awareness of on June 12th 2016) by introducing a "Russian hacker" persona and having it forge a perceived association between itself and WikiLeaks (and, in DMs to Robbin Young, apparently with Seth Rich, posthumously, too) as a way to "poison the well", so that, even if Seth Rich was demonstrated to be the leaker, he could be discredited due to a supposed connection to a Russian hacker and doubt could be raised on the veracity of the documents he released.

From assessing Guccifer 2.0's actions, behavior, stated intent and contradictions therein, along with capabilities demonstrated, the false claims that were exposed and more, it's not too difficult to find a pool of individuals in two groups that had a motive aligning with this (or that were hired by those that had such motives around that time).

Of those, two people from a firm hired by the DNC seem likely to have had the skill-set demonstrated by the Guccifer 2.0 operation (in terms of misdirection, setting up the masquerade, cyber security experience, etc.), and those two are CrowdStrike's Shawn Henry and Dmitri Alperovitch.

Even without attributing names to the subterfuge, we have enough to argue that there is considerable reasonable doubt about Guccifer 2.0's identity and we can show there are ample reasons to suspect that attributions that an embarrassing number of high-profile cyber-security firms made in relation to this are likely to be significantly flawed, especially those that express confidence in Guccifer 2.0 being a Russian and/or working for/with GRU/FSB/etc based on what we've now shown was a masquerade.

I do have a plan to test my interim attribution conclusions further (and will report on the experiment and results, regardless of what it shows, as soon as it has been completed).

It has been a relief to know that Forensicator's (and subsequently a little of my own) research has been noticed by intelligence veterans.

For me personally, just having more experts examine the work and judge it on its merits is half the battle won (as I personally feel that both Forensicator and I can do a good job of defending our conclusions and finding ways to improve confidence and clarity further).

There are some important points I want to make clear regarding the VIPS memo(s), etc:

VIPS are NOT giving anyone any formal endorsement here.

The VIPS memos are effectively just requests for conclusions to be verified.

Hopefully, the above clarifies exactly what VIPS’ position is, doesn't promote any nonsense perceptions, and openly shares with you a dissenting opinion from a respected intelligence community expert.
(It may be the case that a misstatement or miscommunication resulted in one of the points in the memo not being strictly true or that something may have been stated as absolute rather than indicated as most probable. Either way, we're transparent about it and don't feel the need to hide away from legitimate criticism. We will attempt to provide more information to add clarity and strengthen the basis of conclusions in response to this dissenting view.)

4Chan Concerns Regarding Forensicator

Recently I've noticed some concern being expressed about Forensicator being an effort to derail my research. I appreciate the concern but this shouldn't be a problem.

Forensicator and I are both well aware of how strawman arguments can be used and that is one of the reasons Forensicator opted for publishing via a separate blog - it was a conscious decision to make sure both our efforts would be insulated from one another, meaning instead of someone being able to discredit one to discredit all the research, they now have to discredit both on their individual merits in order to argue that Guccifer 2.0 was, beyond reasonable doubt, associated with the Kremlin or Russian intelligence agencies.

The only group that's really likely to be weakened by Forensicator's work being added under these circumstances is the one trying to prop up the false narrative.

Really, right now, the biggest threat to my efforts comes from people trying to conflate Guccifer 2.0 with entities we have no indication of him having any connection with (eg. the Awans, Seth Rich, etc), as such conflations will be used by the MSM to try to make out that anyone investigating any of these subjects individually must inherently believe in all conspiracy theories, etc.

(3) Common Logical Fallacy Attacks

One of the various disingenuous ways in which people try to undermine our research and/or analysis is to use logical fallacies. This list is far from exhaustive but gives a quick overview of what some of these attacks look like (and how to handle them if you need to do more than just call out the tactic):

Strawman - Misrepresenting someone's argument to make it easier to attack

"They think it's impossible to get 23MB/s over the Internet so they think a USB stick must have been used!" In reality, the conclusions are simply stated as being the most probable explanation for those speeds, and they are also consistent with the overall observations made. Many alternate theories are discredited simply because the would-be debunker fails to consider that their theory introduces unexplained anomalies (eg. timestamp resolution suggesting use of a USB device at an early stage; timestamps suggesting an EDT timezone; timestamps being sequential and interleaved across some directories; the apparent timezone being inconsistent with the premise Guccifer 2.0 pushed regarding Romanian nationality, etc. - making it an odd manipulation to opt for).

"Meta data can be faked so obviously everything about the fingerprints is meaningless!" In some cases, such as the effort to frame Russian hackers for the leaks, we can disregard the metadata completely and still demonstrate a methodical process just by using RSID data alone.

"Other things are possible so this is all just speculation!" Quite often we hear this when someone thinks they have a viable theory that is close to having a similar likelihood of being true as the conclusions stated. In most cases, though, the theory presented introduces anomalies or struggles to explain factors that hadn't been fully considered when they came up with the theory.

False Cause - Presuming that a real or perceived relationship between things means that one is the cause of the other

We see this being used to prop up the mainstream narrative repeatedly and have even seen it used to try to insert a leak-discovery date assumption that is likely to be false.

eg. Donald Trump Jr’s meeting with a Russian lawyer happening only 6 days before Guccifer 2.0 released his first files. (Sam Biddle of The Intercept wrote a very puzzled piece trying to squeeze this event-date into a unified ‘Guccifer 2.0 as Russian hacker’ theory. Unfortunately, Guccifer 2.0’s early email outreach to various journalists was very successful in setting up these journalists with pre-conceived notions they later find hard to shake off.)

eg. Matt Tait's references to GOP opposition researcher Peter Smith occurring days prior to the DNC Leaks first being published.
(Matt seemed to want to let everyone know that Smith's deep-web contact *might* be Russian, because he suspects he might have been, despite lacking any indication of it. It's a good thing Ben Wittes' Lawfare blog gave Matt a platform to get such a bombshell assumption out to the masses!)

eg. George Webb's assertion that a data transfer to the Clinton Foundation was a sign that they were aware of the leaks. (This was an example of false cause. There's more to suggest DNC/CrowdStrike awareness came about between June 12th and June 14th 2016.)

Appeal to Emotion - Manipulating an emotional response in place of a valid or compelling argument

suspicion ("What's your agenda?") Accepting what evidence shows and sharing it is not the sign of a suspect agenda.

moral outrage ("You're just doing this to distract from [This week's RussiaGate story]") Just point out that it wouldn't have mattered which week the information was published during the past six months; it would still have ended up conflicting with one of the many RussiaGate-themed nothing-burger stories the MSM have fixated on relentlessly, all predictably without leading to anything.

Slippery Slope - Asserting that if we allow A to happen, then Z will consequently happen too, therefore A should not happen

"If we investigate this, it only serves to weaken public confidence in democracy, which, obviously, would just be helping Putin!"

Bandwagon - Appealing to popularity or the fact that many people do something as an attempted form of validation

"Multiple respected cyber-security agencies have concluded that it's Russia so it must be Russia." Which doesn't matter much when they were led astray by the firm the DNC hired to investigate and that almost all third-party research accepted at face value (some even apparently assuming IOCs were all related to the exfiltration of emails/files and that X-Tunnel and PAS tools were specifically indicators of Russian hacking when it doesn't seem like there was actually evidence produced to support these assumptions or justify these attributions) while the FBI's help was declined.

"Are you saying everyone in the MSM is wrong but a site nobody's heard of has got it right? That's ridiculous!" If the MSM could have easily discredited this site, they would have done so long ago; instead they've avoided it, stubbornly resisted giving new discoveries any attention, and repeatedly cited the discredited JAR report assessments, which were discredited within approx. 45 days of being published (which, at the time of writing this, makes them discredited for 5+ months so far!)

Appeal to Authority - Saying that because an authority thinks something, it must therefore be true

"What makes your research better than 17 intelligence agencies?" It incorporates exculpatory evidence that discredits assessments relating to Guccifer 2.0 that were given by three intelligence agencies and that were published in the JAR report that ODNI/DHS released on December 29th 2016.

Anecdotal - Using personal experience or an isolated example instead of a valid argument, especially to dismiss statistics

"I work in infosec and nobody I know would ever take this seriously!" I don't think VIPS would have given it any consideration if the research appeared to be driven by partisanship, contained specious or misleading claims, or was as difficult to take seriously as some of the anonymous self-proclaimed infosec experts on social media like to assert!

(4) Technobabble & Debunking Delusions

Self-Proclaimed Experts That Present No Technical Challenges

Let's start with one of those self-described security experts who doesn't tackle a single claim or demonstrate technical expertise. In this instance, we have someone that insisted both u/tvor_22 and I were clueless and don't know how to interpret data, because we're not experts - like he obviously is.

Unsurprisingly, Wyn never did return to actually share his expert opinions.

Plausible-Sounding Lies That Require Technical Knowledge To Debunk

Of course, attacks aren't always this blatant and easy to spot, some are trickier to detect and use technobabble to push misconceptions and degrade an argument by appearing to debunk something (when they're actually debunking nothing).

Here is one example specifically relating to the deliberate placement of fingerprints and RSIDs, the highlighted assertions are false:

Ad-Hominems, Pretending To Be Obtuse, Debunking Delusions

@trickfreee aka "Patrick" probably deserves credit here...

His latest debunking effort consisted of asserting that one of Guccifer 2.0's first three documents could have been opened as an original and then been tainted through mishandling and so he considers, with that being an apparent possibility, it means I'm debunked.

Of course, this debunking attempt suffers from the same flaw many others do, in that it presents an alternate theory that makes things anomalous or introduces anomalies.

The RSID correlations would still mean that the first document would need to be saved, closed and re-opened, then have content copied/pasted in from a different original document, be saved as a new document and closed; then one of the two docs made so far would need to be re-opened and another copy+paste from a third original document carried out, with the result being saved as a new, third file. So it STILL is clearly not consistent with accidental mishandling and sloppiness by a supposed Russian hacker, AND Flood's name being on all three documents (none of which Flood originally authored) then becomes an inexplicable anomaly.
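As an added illustration of the RSID correlation described above (this is not code from the original article or from the Forensicator), the script below reads the list of revision save ids that Word records in word/settings.xml and reports which values a set of documents have in common. Independently authored files have no reason to share an rsid, so a common value points to a shared template or editing session. The four documents it analyses are constructed in memory with made-up rsid values.

```python
"""Compare the RSID (revision save id) sets recorded in .docx files.

Word appends a fresh 8-hex-digit rsid to word/settings.xml on every
editing session that is saved, so a non-empty intersection between two
files indicates shared ancestry (a common template or copied content).
The sample documents built below are constructed, not real files.
"""
from __future__ import annotations
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
RSID_RE = re.compile(r"^[0-9A-F]{8}$")


def extract_rsids(docx_bytes: bytes) -> tuple[str | None, set[str]]:
    """Return (rsidRoot, set of rsid values) from word/settings.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/settings.xml"))
    rsids_el = root.find(f"{{{W_NS}}}rsids")
    if rsids_el is None:
        return None, set()
    root_el = rsids_el.find(f"{{{W_NS}}}rsidRoot")
    rsid_root = root_el.get(f"{{{W_NS}}}val") if root_el is not None else None
    values = {el.get(f"{{{W_NS}}}val") for el in rsids_el.findall(f"{{{W_NS}}}rsid")}
    # Malformed attribute values are dropped rather than guessed at.
    return rsid_root, {v for v in values if v and RSID_RE.match(v)}


def shared_rsids(docs: dict[str, bytes]) -> dict[str, set[str]]:
    """Map each pair 'a&b', plus 'all', to the rsid values they have in common."""
    sets = {name: extract_rsids(data)[1] for name, data in docs.items()}
    names = sorted(sets)
    result: dict[str, set[str]] = {}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            result[f"{a}&{b}"] = sets[a] & sets[b]
    result["all"] = set.intersection(*sets.values()) if sets else set()
    return result


def make_docx(rsid_root: str, rsids: list[str]) -> bytes:
    """Build a minimal constructed .docx holding only the rsid settings."""
    body = "".join(f'<w:rsid w:val="{r}"/>' for r in rsids)
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:settings xmlns:w="{W_NS}"><w:rsids>'
        f'<w:rsidRoot w:val="{rsid_root}"/>{body}</w:rsids></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/settings.xml", settings)
    return buf.getvalue()


# Constructed sample: doc1-doc3 descend from one template session (00A1B2C3),
# then accumulate sessions of their own; "unrelated" shares nothing with them.
TEMPLATE = ["00A1B2C3"]
SAMPLE_DOCS = {
    "doc1": make_docx("00A1B2C3", TEMPLATE + ["00D4E5F6"]),
    "doc2": make_docx("00A1B2C3", TEMPLATE + ["00D4E5F6", "0011AA22"]),
    "doc3": make_docx("00A1B2C3", TEMPLATE + ["0011AA22", "0033BB44"]),
    "unrelated": make_docx("00FFEE00", ["00FFEE00", "00CCDD11"]),
}

if __name__ == "__main__":
    for pair, common in shared_rsids(SAMPLE_DOCS).items():
        print(f"{pair}: {sorted(common) or 'none'}")
```

Run against real files, the same overlap pattern (one value in every file, further values shared pairwise) is what distinguishes a template-plus-paste chain from documents saved independently.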

This is very similar to the following person trying to do the same thing relating to stylesheet RSIDs ("Controls Freak" is actually quoting a 3rd party who had, thankfully, checked and verified things for themselves and could call him out on this - full thread is here)

The problem here is that he pretends to debunk something (which he doesn't, he just tries to dismiss it with a seemingly plausible deception) and then asks the person to provide another example (which, if given, he would repeat the process with).
Thankfully, the person he tried this on was someone that had checked and verified what was claimed about the files and had enough knowledge to be wise to this, but many would be caught off guard by it and believe the discovery had been legitimately discredited.

(5) Meta Manipulation

Of course, as we all know, timestamps and metadata can be manipulated.

However, this doesn't inherently make timestamps and metadata entirely worthless for analysis.

While it's true that many simply gauge metadata validity based on whether it is being used to attack or support their predetermined conclusions or partisan bias, Forensicator and I have both looked for ways to assess timestamp integrity: we have checked for inconsistency in timezones and timestamp resolution, noted any apparent anomalies, etc., and sought other ways to corroborate/support our conclusions.

For the deliberate fingerprint fabrications, the RSIDs helped us to make sense of what looked, at first, to be anomalous timestamps. In the first batch of RTF files there was ultimately no indication of any direct tampering with the raw data, and the supporting RSID data helped to corroborate the timestamps.

For the July 5th file transfers, the differences between timestamps, the fact that timestamps on some files are interleaved between multiple folders, the consistency of timestamps throughout all archives, and consideration of what timezone Guccifer 2.0 would use if he was going to manipulate these files (considering he claimed to be Romanian) were all looked at. The conclusion, again, is that there were no signs of arbitrary modification or time manipulation (if there had been, it would have been counterproductive to creating a perception of Romanian origins!).
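An added example (not from the article or from the Forensicator's analysis) of the three timestamp checks just described, run over a constructed file listing with made-up paths and times: 2-second resolution (the granularity of FAT filesystems typical of USB sticks), interleaving of files across folders in time order, and the constant local-to-UTC offset compared with a claimed timezone. The offsets used, EDT at UTC-4 and Romanian summer time at UTC+3, are standard timezone facts, not data taken from the page.

```python
"""Integrity checks on a listing of file modification times.

Each check is a function so it can be run on any (path, mtime) listing:
  1. has_two_second_resolution: FAT stores mtimes at 2-second granularity,
     so every stored time has an even seconds field and no fraction;
  2. folder_switches: how often consecutive files in time order come from
     different top-level folders (interleaving suggests one bulk copy);
  3. utc_offset_hours: the constant (local - UTC) difference for the same
     files, which reveals the writing machine's timezone offset.
SAMPLE is constructed for illustration; it is not the real archive listing.
"""
from __future__ import annotations
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: (path, local mtime as stored, the same instant in UTC).
SAMPLE = [
    ("Donors/a.xlsx",  datetime(2016, 7, 5, 18, 39, 2),  datetime(2016, 7, 5, 22, 39, 2)),
    ("Reports/b.docx", datetime(2016, 7, 5, 18, 39, 4),  datetime(2016, 7, 5, 22, 39, 4)),
    ("Donors/c.xlsx",  datetime(2016, 7, 5, 18, 39, 6),  datetime(2016, 7, 5, 22, 39, 6)),
    ("Reports/d.docx", datetime(2016, 7, 5, 18, 39, 8),  datetime(2016, 7, 5, 22, 39, 8)),
    ("Memos/e.pdf",    datetime(2016, 7, 5, 18, 39, 10), datetime(2016, 7, 5, 22, 39, 10)),
]

EDT_OFFSET = -4.0      # US Eastern Daylight Time
ROMANIA_SUMMER = 3.0   # Eastern European Summer Time


def has_two_second_resolution(mtimes: list[datetime]) -> bool:
    """True when every timestamp has an even seconds field and no sub-second part."""
    return all(t.second % 2 == 0 and t.microsecond == 0 for t in mtimes)


def folder_switches(entries: list[tuple[str, datetime]]) -> int:
    """Count changes of top-level folder between consecutive files in time order."""
    ordered = sorted(entries, key=lambda e: e[1])
    folders = [path.split("/", 1)[0] for path, _ in ordered]
    return sum(1 for a, b in zip(folders, folders[1:]) if a != b)


def utc_offset_hours(pairs: list[tuple[datetime, datetime]]) -> float:
    """Median (local - UTC) offset in hours, rounded to the nearest half hour."""
    offsets = [(local - utc) / timedelta(hours=1) for local, utc in pairs]
    return round(median(offsets) * 2) / 2


def consistent_with_offset(measured: float, claimed: float) -> bool:
    """True when the measured offset matches the claimed timezone offset."""
    return abs(measured - claimed) < 0.25


if __name__ == "__main__":
    local_times = [local for _, local, _ in SAMPLE]
    print("2-second resolution:", has_two_second_resolution(local_times))
    print("folder switches in time order:", folder_switches([(p, l) for p, l, _ in SAMPLE]))
    offset = utc_offset_hours([(l, u) for _, l, u in SAMPLE])
    print("local offset from UTC (hours):", offset)
    print("consistent with EDT:", consistent_with_offset(offset, EDT_OFFSET))
    print("consistent with Romania in summer:", consistent_with_offset(offset, ROMANIA_SUMMER))
```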

We do typically disclose all these additional details but sometimes it's necessary to check comments, FAQs, additional articles, etc on each of our respective sites.

(6) Seth/Awan/G2 Conflation

In the past six months, I have NOT seen any direct indication that Guccifer 2.0 had any connection to the Awan Brothers.

In the past six months, I have NOT seen any direct indication that Seth Rich had any connection to the Awan Brothers.

The only reference connecting Guccifer 2.0 to Seth Rich was a specious claim that Guccifer 2.0 made when trying to associate himself with Seth during a conversation he had with Robbin Young.

The date of these unsolicited remarks, coming immediately after news reports had pushed a potential association between Seth Rich and Wikileaks, and Guccifer 2.0's linking of Julian Assange as "connected to the Russians" in the same conversation, can also be interpreted as a pre-emptive "poison the well" attempt, ready to be deployed at a later date should the association between Seth and Wikileaks gain any more traction.

I'm also unaware of any solid Seth-Awan connections. Matt Couch and the America First Media team (who are actually investigating Seth's murder thoroughly) have recently debunked a claim relating to this - a baseless claim that Seth and one of the Awans went out the night before his death.

It is now the case that both those carrying out the most thorough investigation into Seth Rich's murder and several of us investigating things in relation to Guccifer 2.0 are all saying the same thing - trying to warn people to NOT unduly conflate separate entities.

If you're convinced Guccifer 2.0, Seth Rich and the Awan family are linked despite all of this, and you're getting the information from anyone other than Webb/Goodman/Negron, please tweet or DM me with the details of the source/reasoning.

Thank You

Thank you to anyone still reading this far down the page for caring about this topic enough to have the perseverance to get this far. It's a complex topic and one that's difficult to fully get to grips with if only parts of it are known. I know it takes a fair bit of effort to read through and fully take on all the information, but when you've got it all understood things do become clearer. You'll recognize that you're on the right path when all the pieces of the puzzle start clicking together and you see how and why I've come to the conclusions I have.

Thanks goes out to Forensicator, u/tvor_22, strontiumdog, "Clever Librarians" and MANY other people (too many to name here without this being a massive list of names but I'll figure something out so everyone who would like credit has a way of claiming it for acknowledgement in the near future) for all their contributions, ideas and support.

Thanks also to Disobedient Media, H.A Goodman and Tim Black, ZeroHedge, Tracy Beanz, Rick Amato, Hard Bastard, BullTruth Magazine, Sane Progressive, "Clever Librarians" (again) and many more (same thing as mentioned above regarding credit) for helping to get the word out to their followers, viewers, readers or subscribers AND for trying to take care to get that information out without mixing things up or conflating/spinning/etc.

...and yes, I will get to articles on broader topics for publishing elsewhere (which some of you know about) soon, I promise... I just had to get this update out to get some clarifications out, make sure people are armed with rebuttals to deal with the objections, smears, lies and spin that we've seen, which I anticipate will escalate going forward and will persist if people don't know how to recognize its various forms and quickly disarm it.